Understanding the ginormous Philippines data breach (troyhunt.com)
261 points by Flimm on Apr 14, 2016 | hide | past | web | favorite | 90 comments

> As serious as the info above is, it’s only scratching the surface. Per the reports linked to earlier, there’s also biometric data relating to fingerprints in the system. This contains column names such as these:


> The values within there can be quite detailed and I’ve no reason to think that this isn’t indeed legitimate print data uniquely and biologically identifying the owner. You don’t get to reset that stuff once it’s been released into the wild!

That's one of the biggest dangers in using biometrics as a factor in authentication. Once it leaks (and keeping data safe is one of the hardest tasks in today's world) there is no changing, no resetting; it is out there and rendered useless at best or a vector for identity theft at worst.

The whole notion of using fingerprints for authentication is weird. Essentially something that's akin to a username is being used as a password.

I wrote about this practice the other day[0]. It's interesting to observe that when Apple announced Touch ID, for example, it was presented as something with improved security.

0: https://hugotunius.se/2016/04/11/why-i-disabled-touch-id-and...

Touch ID is like a bike lock. It won't stop a sophisticated attacker, but it's enough to stop your coworkers from reading your messages, and it makes the phone worthless for thieves.

The biggest advantage of Touch ID is that people who never had a passcode on their phone now use it.

The problem with passcodes on mobile phones is that you need to enter them so often that shoulder surfing becomes a problem.

Thank you! Yes, absolutely. People need to learn the difference between "secure, in theory, in a perfect world" and "secure enough, in practice, in the real world". Just about every disagreement in this thread is from two people who are talking about two entirely different concepts of security.

That's a good point. For people who never had a passcode it's a big step up in security. It definitely depends on what the threat model is. If you are protecting yourself from coworkers it might be enough (depending on who your coworkers are). If you are protecting yourself against state level actors such as the FBI it's probably pretty worthless.

It doesn't on its own, but the secure enclave (that was created, in part, to keep biometrics data secured) sure does.

I think Touch ID does improve security in practice for most people, because it makes it practical to use a proper password for your phone, rather than a four-digit passcode or no passcode at all, as most people did before.

You have to consider the limitations it has as well. An attacker could potentially lift your fingerprints and use it to unlock your phone. But they only get five chances to fool the sensor before Touch ID disables itself, and they have to do their work within 48 hours of when you last entered your password.

As with all things security, the important question is what sort of threats you're defending against. For the scenario where I lose my phone or I get mugged, Touch ID is fine. If I'm defending against police seizing it as evidence, it's probably fine. I'd be surprised if the police could move quickly enough to make the deadline. For police encounters I know about ahead of time (like passing through customs), it's easy to shut the phone off to temporarily disable Touch ID. The only scenario where it likely fails is a targeted attack by someone with sophistication, like if the FBI thinks I'm a terrorist, and I'm not particularly worried about defending against that.

Note that your six-digit PIN doesn't necessarily save you here either, although it would buy time. Whatever the FBI did to the infamous San Bernardino iPhone would probably work on yours in a longer but practical amount of time.

People often say that fingerprints are usernames, not passwords. I don't think that's very useful. A fingerprint doesn't fit inside the old username/password ideas, it's something different from both, with its own unique properties.

That comic is irritating. Most people are far more concerned with lost devices and opportunistic theft than they are worried about targeted theft or malicious actors with wrenches. Encryption reduces the pain of the lost or casually stolen device, it doesn't have to resist a wrench to be useful.

eh, it's a comic, all the nuances of a security problem are hard to fit in a two-panel punchline - but it highlights the same thing, that the threat model is not the same for everyone.

> it's something different from both, with its own unique properties.

No, it's a username that is physically tied to the user. If I can get that data (fingerprint) then I don't need to go through the usual rigmarole of password hacking.

Fingerprints are literally "one factor auth".

That doesn't mean that they're usernames. You can say this about passwords too: if you can get that data (password) then you don't need to go through password cracking, and they're literally "one factor auth."

Consider an example. Imagine if HN authenticated based only on the username. Could you get into my account? Now imagine if HN used fingerprint authentication. Would that make it harder?

Your analogy only works if usernames were stored in a secret database, not displayed publicly.


Because this is the assumption behind using fingerprints as authentication.

That's my whole point. Usernames are public info, passwords are private, and fingerprints occupy a weird in-between world where they're sort of public but difficult to obtain and difficult to use if you're not the one whose fingers they're on.

Though nothing's perfect. Has anyone in practice managed to steal anything at all by hacking Touch ID?

It's not really about hacking Touch ID. Apple has published a really thorough whitepaper[0] on the security of Touch ID and the secure enclave. I don't really think that hacking the Secure Enclave to extract fingerprints is even possible.

The problem I see is using fingerprints which are unique to your person, unchangeable, and spread around us in a very liberal fashion as passwords.

Imagine for a second that the San Bernardino iPhone had used Touch ID, don't you find it highly plausible that the US government would be able to find a good fingerprint that could be used to unlock the phone? I guess they even had his body at hand so it would have been dead simple.

0: https://www.apple.com/business/docs/iOS_Security_Guide.pdf

> Imagine for a second that the San Bernardino iPhone had used Touch ID, don't you find it highly plausible that the US government would be able to find a good fingerprint that could be used to unlock the phone? I guess they even had his body at hand so it would have been dead simple.

That is a very good observation and puts Touch ID in perspective. If you died today would you be ok with your family and/or friends being able to unlock your phone and go through all your personal data? Sure, there may be genuine reasons for them to do so but still, all your data will be at their fingertips and even if you "trust" that they'll limit themselves to only look for the relevant information to get your things in order they still have to sift through a lot of data you may not want them to.

Touch ID has been hacked in various ways - I think you can use a photo derived from someone's hands and it's probably possible from fingerprints on the phone. Then again passwords can be grabbed, locks can be picked and so on. It would seem to me that what is effective in practice is what counts. I mean yeah for San Bernardino they probably would have got a fingerprint but they got the data anyway so does it matter?

Pretty sure the only time TouchID was hacked involved a lot of equipment and painstaking work to create a fake finger. A photo of someone's hands is almost certainly insufficient.

In other words, citation needed.

TouchID isn't that great at identifying a real finger vs a fake. Someone was able to bypass it using only items that you could buy at a local RadioShack and a laser printer within 48 hours after it was released.


I can't find it now, but not long after that another group found an even simpler method of printing out a fake print. I did find a much more recent attack based on just using a special conductive ink cartridge in a regular inkjet to directly print something on paper that would work. Bottom line is that it doesn't take a lot of fancy equipment, supplies, or skills to print a fake fingerprint that will fool TouchID.


As for "a photo derived from someone's hands", I'm not sure what they meant, but if you had a photo that could make out the ridges of someone's fingerprint then yeah, absolutely.

Do you think they would have figured all of that out before the phone disabled Touch ID at the 48-hour mark? I'm rather doubtful myself.

You are right, that's an oversight of mine. I didn't keep the 48 hour thing in mind when writing that comment. My bad.

As other responders pointed out, Touch ID is definitely an improvement over the status quo, and strikes a reasonable balance between security and convenience. But more relevant to the GP's point in re Touch ID is that Apple doesn't have a database anywhere of fingerprints, and the Secure Enclave is very difficult if not impossible to retrieve data from. In other words, this is biometric ID done as rightly as possible with today's technology.

I'm inclined to agree that it's an improvement over the status quo for people that didn't use passcodes from before.

I do trust Apple more than many other entities and as you say they don't have a database with fingerprints. Further the secure enclave is definitely a secure piece of engineering.

As evident by the linked article though the problem isn't Apple the problem is all the other databases that will have your fingerprints. As Troy says in the article

> The values within there can be quite detailed and I’ve no reason to think that this isn’t indeed legitimate print data uniquely and biologically identifying the owner. You don’t get to reset that stuff once it’s been released into the wild!

Once your fingerprints leak somehow there's no way to reset or change them. To me at least it seems like a really poor idea to use something with those properties as passwords.

Yeah, wow. That's an aspect I've never considered before. I suppose because I figured they would need my actual fingerprint to crack the system, but if you have the values for all the "basis vectors" of the fingerprint that are stored, one could theoretically bypass the sensor and feed the proper sensor output to the authenticating machine. The issue grows larger as this method of authentication grows in popularity.

Definitions can blur since biometric data can play more than one role.

A username can identify (but not authenticate) an individual, biometric data can do both, whereas a password is nothing by itself. It’s only meaningful in conjunction with an identifier as a shared secret in order to authenticate.

Given today's legal climate, this is what I have come up with as a compromise.

* PIN to unlock the phone, no Touch ID. Phone set to self-erase after x attempts.

* TouchID to only unlock 1Password. 30 char master password

* TouchID used for nothing else.

I would welcome any feedback if there is something that I have missed.

> Once it leaks

Leaking? Why do you need a leak? Just follow somebody and wait until he touches something, preferably a glass in a pub or something similar.

One requires targeting a specific individual, but you have a specific goal in mind for those prints. The other involves obtaining several people's fingerprint data. From there, you can figure out what you can actually do with said data

You are right, thanks for the answer!

Your username is even appropriate...

I am very worried about Brazil's push to require biometric fingerprints to vote, AND voting being mandatory...

Considering you need to provide fingerprints to request all sorts of documents, what would the government be able to do that they aren't already able now?

Here's a list of documents for which you need to provide fingerprints, off the top of my head:

– National identity card (RG), mandatory for all citizens over 18 years of age;

– Military conscription certificate (CAM), mandatory for all male citizens over 18 years of age;

– Voting card (Título de Eleitor), mandatory for all citizens between 18 and 65 years of age, encouraged for all citizens over 16;

– Employment record book (Carteira de Trabalho), mandatory for any formal employment;

– Passports

Also, as of at least three years ago in the state of Rio de Janeiro, some of these were already computerized.

> Considering you need to provide fingerprints to request all sorts of documents, what would the government be able to do that they aren't already able now?

If they already have fingerprints, and now fingerprints are suddenly required for voting, that makes election fraud easier for the government.

How does it make it easier than doing everything the same except not requiring fingerprints?

If you've convinced people that fingerprints prove a person was there and voted, then you have additional weight for your fraud.

In my state these were all just printed on the document (at least last time I had to make documents).

You cannot "hack" a piece of paper easily...

But with mandatory vote + mandatory fingerprint to vote, you just turn that database into a giant juicy target; an attacker can be sure that all voters will have fingerprints there.

Do you have any assurances your paper documents were not immediately scanned? Do you know what kind of access controls are enforced on the file cabinet they're stored in? Are they susceptible to a janitor who gets approached by a shady dude with a briefcase of money? The larger point I'm trying to make is that this is no longer something you have control over and have no guarantees about who else has a copy of it, and therefore should not be relying on it being kept secret, and moreover should assume it has been compromised.

You can require biometrics and still not record them. Just use them as a hash lookup into a keystore. The biometric itself would only exist on the server for a few cycles while the key was being looked up. (Very similar to the way credit cards are done)

> Just use them as a hash lookup into a keystore.

This is intuitively appealing, but do biometrics really boil down to an exact number that we could hash like this? (Genuine questions; I don't know.) It seems more likely to me that biometric measurements would be considered to "match" when they're within particular tolerances. This is an operation you can perform on the original measurements, but not on hashes of those.

There is a cryptographic tool called a "fuzzy extractor" that solves this problem (cf. Fuzzy Extractors: How to Generate Strong Keys from Biometrics and Other Noisy Data, by Dodis, Reyzin and Smith [0]). At enrollment time, you compute some (non-sensitive) data P = Enroll(biometric). Then every time you compute Recover(P, biometric') you will get the same (high-entropy) output, as long as biometric' is close enough to biometric.

[0] https://www.iacr.org/archive/eurocrypt2004/30270518/DRS-ec20...
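A toy version of the Enroll/Recover pair described above, added here as an illustration; it is not code from the paper, from Troy Hunt's article, or from any fingerprint product. It assumes the simplest code-offset construction: a random codeword of a 7-bit repetition code is XORed into the biometric bits to form the public sketch, majority-vote decoding removes up to three flipped bits per block, and SHA-256 under a public random seed stands in for the strong extractor. The 98-bit template and the flipped bit positions are constructed sample data, not real print data.

```python
import hashlib
import secrets

BLOCK = 7      # repetition-code block length: majority vote corrects <= 3 flips per block
N_BLOCKS = 14  # constructed template length = 98 bits (real templates are far longer)


def _encode(message_bits):
    """Repetition code: each message bit is written BLOCK times."""
    return [b for b in message_bits for _ in range(BLOCK)]


def _decode(code_bits):
    """Majority-vote decoding back to message bits (nearest codeword)."""
    return [1 if sum(code_bits[i:i + BLOCK]) * 2 > BLOCK else 0
            for i in range(0, len(code_bits), BLOCK)]


def _xor(a, b):
    return [x ^ y for x, y in zip(a, b)]


def _extract(message_bits, seed):
    """Stand-in for the strong extractor (assumption): hash the codeword's
    message under a public random seed; the seed lives in P, the key does not."""
    return hashlib.sha256(seed + bytes(message_bits)).hexdigest()


def enroll(biometric_bits):
    """Enroll(w) -> (key, P).  P = (sketch, seed) is public helper data.
    Caveat: with a repetition code the sketch s = w XOR c leaks most of w
    (the paper quantifies this entropy loss); production designs use better codes."""
    assert len(biometric_bits) == BLOCK * N_BLOCKS
    message = [secrets.randbelow(2) for _ in range(N_BLOCKS)]
    sketch = _xor(biometric_bits, _encode(message))   # code-offset secure sketch
    seed = secrets.token_bytes(16)
    return _extract(message, seed), (sketch, seed)


def recover(helper, biometric_bits):
    """Recover(P, w') -> key.  Equals the enrollment key iff every 7-bit block
    of w' differs from w in at most 3 positions."""
    sketch, seed = helper
    noisy_codeword = _xor(biometric_bits, sketch)   # = c XOR (w XOR w'): c plus reading noise
    return _extract(_decode(noisy_codeword), seed)


def flip_bits(bits, positions):
    """Simulate sensor noise by flipping the given bit positions of a reading."""
    out = list(bits)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed stand-in for a biometric template (not real fingerprint data).
TEMPLATE = [(i * 37 + 11) % 5 % 2 for i in range(BLOCK * N_BLOCKS)]

if __name__ == "__main__":
    key, helper = enroll(TEMPLATE)
    # a slightly different reading (<= 3 flips per block) yields the same key ...
    print(recover(helper, flip_bits(TEMPLATE, [0, 3, 9, 20, 97])) == key)
    # ... a reading with 4 flips inside one block does not
    print(recover(helper, flip_bits(TEMPLATE, [0, 1, 2, 3])) == key)
```

The point for the thread is that the server keeps only `helper` (sketch plus seed) and the derived key, never the template, and the template only exists in memory during `recover`. The trade-off is visible in the code too: the error tolerance is fixed by the code's distance, and the repetition code chosen here for readability is exactly the kind whose sketch leaks too much to be used as-is.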

It is, effectively, what Touch ID does. (It's an over simplification but as an analogy it works)

Unfortunately, that's not how governments around the world require it right now. Estonia, for its e-citizenship program, as well as pretty much all countries requiring a fingerprint for passports, store the fingerprints in their own centralized database (that also gets shared with other nations).

I switched my phone fingerprint to another finger for my phone as soon as I signed-up for a passport.

In the Netherlands we had a passport with fingerprint, and all data stored by the state. Luckily, this was reversed, and now the fingerprint is only stored in the passport itself. Well, that's what I hope, as the fingerprint needs to be stored temporarily for the time to create the passport.

Better, if you don't leave the EU, you can use an identity card that doesn't have the fingerprint.

I was lucky enough to have an old passport that just spanned the period in which the fingerprint was stored centrally. Now I have an ID card, but one time in the future I will leave the EU, and then I have to get a passport...


So a piece of plastic the bank gives you with mostly arbitrary numbers on it is better protected than your own fingerprints, which you're stuck with for life?

Good grief.

This sounds like a good idea on the surface but this just shifts the problem.

Ultimately, you still only have 10 fingers (general assumption), and not a large space like 30 char passwords.

However, Fingerprints cannot be practically hashed.

Images can be hashed (and hashed in such a way that minor changes can still lead to the same hash), so images of fingerprints should be hashable.

I found this article from Microsoft a while ago that I thought was particularly interesting.
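The kind of "hash" that tolerates minor changes is a perceptual hash, which is a different animal from the cryptographic hash the parent comment has in mind. The block below, added here as an illustration and not taken from Microsoft's article or from any fingerprint product, implements the simplest one (average hash over an 8x8 grid) and matches by Hamming distance. The 32x32 images are constructed stand-ins for sensor captures; the grid size, noise model and threshold are assumptions. It also shows why storing such a hash is not like storing a password hash: `bits_to_grid` decodes it straight back into a coarse silhouette of the input.

```python
# Average hash ("aHash") of a grayscale image, matched by Hamming distance.
# Added illustration with constructed sample images; not any real product's scheme.

GRID = 8          # the hash is GRID*GRID = 64 bits
SIDE = 32         # constructed sample images are SIDE x SIDE pixels
CELL = SIDE // GRID


def average_hash(pixels):
    """Downsample to GRID x GRID by block averaging, then emit one bit per cell:
    1 if that cell is brighter than the mean cell."""
    cells = []
    for gy in range(GRID):
        for gx in range(GRID):
            block = [pixels[y][x]
                     for y in range(gy * CELL, (gy + 1) * CELL)
                     for x in range(gx * CELL, (gx + 1) * CELL)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(h1, h2):
    """Number of differing bits between two hashes."""
    return bin(h1 ^ h2).count("1")


def matches(h1, h2, threshold=8):
    """Tolerance-based comparison; impossible with SHA-256-style digests."""
    return hamming(h1, h2) <= threshold


def bits_to_grid(h):
    """The hash is not one-way: it decodes back into a coarse 8x8 silhouette."""
    return [[(h >> (GRID * GRID - 1 - (gy * GRID + gx))) & 1 for gx in range(GRID)]
            for gy in range(GRID)]


def make_image(bright_cell):
    """Constructed stand-in for a sensor image: each 4x4 cell is bright (220) or dark (30)."""
    return [[220 if bright_cell(x // CELL, y // CELL) else 30 for x in range(SIDE)]
            for y in range(SIDE)]


def noisy_reading(pixels):
    """Second capture of the same 'finger': shifted one pixel, plus deterministic +/-25 noise."""
    out = []
    for y in range(SIDE):
        row = []
        for x in range(SIDE):
            v = pixels[y][min(x + 1, SIDE - 1)] + ((x * 31 + y * 17) % 51) - 25
            row.append(max(0, min(255, v)))
        out.append(row)
    return out


SAMPLE_IMAGE = make_image(lambda gx, gy: (gx + gy) % 2 == 0)   # constructed
NOISY_READING = noisy_reading(SAMPLE_IMAGE)                    # same finger, new capture
OTHER_IMAGE = make_image(lambda gx, gy: gx < GRID // 2)         # a different finger

if __name__ == "__main__":
    h = average_hash(SAMPLE_IMAGE)
    print("same finger :", hamming(h, average_hash(NOISY_READING)), matches(h, average_hash(NOISY_READING)))
    print("other finger:", hamming(h, average_hash(OTHER_IMAGE)), matches(h, average_hash(OTHER_IMAGE)))
    for row in bits_to_grid(h):
        print("".join("#" if b else "." for b in row))
```

Two things to take from it: the match is a distance comparison on the stored values, so the server must hold the values themselves, and those values are a lossy copy of the image rather than a one-way digest. Leaking a perceptual hash therefore leaks a degraded template, which is the "keep a hash instead" idea failing in exactly the way the fuzzy-extractor construction is designed to avoid.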


If someone's going to use biometrics, please just use a face picture. People understand that their face is mechanically recognizable, and don't have the same false confidence in pictures that they have in fingerprints.

They should keep a hash of the fingerprint info, not the info itself. I don't know how it would work, but keeping biometric data for authentication is indeed potentially worse than keeping plain text passwords.

Like, the output range of a convnet, or something.

Most people have 10 to choose from, 20 if you want, and potentially more if you consider other regions of your skin.

The killer quote for me:

  I actually had to create five new data classes when 
  loading this breach, that is I’d never seen this
  information in a breach before: Marital statuses, 
  Biometric data, Physical attributes, Family members' 

Although this is a lot of data on each person. Each individual field doesn't seem too sensitive on its own.

Electoral enrollment status and place you live is usually public information. It should be to prevent vote fraud.

Without other ID, you give your passport details to every company that uses it for ID, every airline, even the bouncer at a bar. When you're travelling and don't have the local ID, you use it to get a sim card, bus pass, just about everything. It's not really secret.

As for the biometric data, what use would a malicious actor make of that? They can't impersonate you because authentication shouldn't be done with only reproducible biometric data. They could identify you if you're physically touching them, but then they can already see you in person.

Mother's middle name, according to the article, can usually be predicted by her parents' names. Family history and names are also public data. Just ask the Mormon church which hoards it.

The LDS church "hoards" it for a reason. Genealogy and baptisms for the dead.

The Mormon church is really called the Church of Jesus Christ of Latter-day Saints (of which I'm a member). It sounds like you might be thinking of the affiliated, free genealogy site, http://www.familysearch.org. It doesn't disclose data on living persons. But you might really enjoy using it to look up your deceased ancestors. My wife loves it.


A free, fast emacs org-mode replacement which is easier to learn and lets you put the same thing in more than one place at the same time: "Atomic knowledge": http://onemodel.org .

A friend of mine in the Philippines, a security researcher himself, said to me that "the breach itself isn't really serious -- it's the candidate the breach favors that's the bigger controversy"

There is a fear of mass cheating in the presidential election. 1) Survey results published on national TV have a wide margin of difference from the results of polls using social media (FB, Twitter). 2) At first Comelec didn't want to print the vote count receipt of the voting machine, with the alibi that it would make the polling period go longer. 3) No third-party source code review.

I find this data breach staggering. With your friend's comment, clearly there is a cultural vector I am completely missing.

Also, please expand on their comment re: the event helping a particular candidate. I don't understand how this incident favors / helps a particular candidate over another.

I am sorry, but what kind of security researcher can claim that this breach isn't serious? The electoral implications may be a bigger controversy, but to suggest that the breach isn't serious is insane. What is described in the post is nothing short of a nightmare scenario for anyone, not only security-conscious people.

Unfortunately, the government undervalues security and the work of its IT and CS departments. Lots of legacy code/databases, and workers are underpaid (compared to the private sector).

I think the person was trying to imply that, in the Philippines, identity theft is less of a big deal than fraud voting.

Can you please elaborate on what you mean?

Fake votes.

My acquaintance tells me the same. Presidential election being less than a month away I can see it being a big thing there, too.

> somehow, last week’s news that 55 million Filipino voters’ data was now out in the wild went largely unnoticed

> ...

> There’s voting history against names (it appears to just be dates rather than the candidate voted for).

So, the data leaked was voter registration info. Actual votes were not in this database.

Other headlines would lead a reader to believe actual votes were leaked. For example, "Megabreach: 55 MILLION voters' details leaked in Philippines". Leaking votes alongside emails would be far more injurious than email addresses and family names.

Maybe in principle, but I think most people would be more upset over personal details and biometric information than they would be over votes.

Yeah I guess people will be upset about what they want. My opinion is the actual votes would be worse. Such data could be used to force someone to vote a certain way, which usurps individuals' freedom of speech.

Any leaked biometric data becomes unusable as an authenticator in the future.

Aren't votes supposed to be anonymous?

Absolutely. My point was some headlines and articles made it sound like votes were disclosed, and you need to dig into the details to discover that's not the case.

Wonder how well hashed that FINGER_INFO is? Any chance to reverse engineer a fingerprint that would give the same hash? That would be awesome, but not in a good way. A false passport including working biometrics. Implementing a new hash would require what before adequate coverage, 15 years? You cannot easily imagine blocking a whole country's access to international travel because of a data leak.

> You cannot easily imagine blocking a whole country's access to international travel because of a data leak.

You cannot do that, not because of the problems for those people, but because it would break trust in the system. It would become apparent how unsafe it is to keep fingerprints stored digitally in a central database. That would be a bigger problem, worldwide. People would demand to get rid of these databases, and I bet many intelligence services would not like that.

You especially couldn't block the Philippines for that reason. Many other nations would cease to operate completely without Filipino labor.

Similarly, personal records for 50 million Turkish citizens got leaked a few days ago: https://news.ycombinator.com/item?id=11420139

I increasingly wonder why the average person trusts any party to secure data that literally belongs to them.

Are there any startups that are building tech to allow end-to-end identity management systems? Seems like a huge market.

What choice do you have?

Really depends of the type of data, how it's being used, etc. - is there a specific problem you personally are facing and how big of a problem is it to you?

His point is that the government asks for this information, maybe as a requirement in order to procure official documents needed for everyday life and business. There's not much to do when the government of your country makes your giving of certain information a requirement. Sure, you could fight it in court but it's very likely that that will not get you very far or produce the official documents you may need. Not all governments were founded with the same libertarian strain as the US.

First, not going to assume that's what the comment meant, but happy to address your comment as is.

Basically my position is that I agree it's complex, but I believe it is possible to address the issue in a way that, for all parties (individual, government, third party), creates more value and less risk; this applies universally in my opinion.

At any rate, it's unclear how responding to my question with questions addresses my question, other than to assume that the lack of an answer means that there are no startups that address this issue; meaning any solution I've seen requires a central authority to be involved.

Even if some startup solved the problem, 1) I have to trust them instead of the government, so the problem hasn't really disappeared and 2) you'd have to compel everyone to work with them somehow

Even in the US, for practical purposes you need to hand your data over to private entities, state governments and, yes, even the federal government, at times.

On an etymological side note, I love the origin of the word ginormous:

ginormous |jiˈnôrməs, jī-| adjective informal, humorous extremely large; enormous:

ORIGIN 1940s (originally military slang): blend of gigantic and enormous.

So if I ever traveled to the Philippines and had my fingerprints scanned at the border, anyone in the world can unlock my TouchID?

It's not quite that easy.

But in any case you don't need a data breach to get your fingerprint - it's probably right on the phone.

A fingerprint is the weakest form of security out there.

They don't scan your finger prints at the border in the Philippines. And this is a leak of Filipino citizens' demographic data.

I hope the banks will be cautious about the possibility of identity theft when loaning on somebody's account.

I'm a potato...

Love it!

